Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Prometheus & Monitoring Difficulty: Advanced ClaudeChatGPTCursor

Prometheus OAuth2 Scrape Target Authorization Prompt

Configure and troubleshoot OAuth2 client-credentials authorization on Prometheus scrape jobs so that Prometheus can pull /metrics from targets sitting behind an OIDC-protected gateway without leaking secrets or hammering the token endpoint.

Target user
Observability or platform engineer scraping internal services fronted by an OAuth2/OIDC identity provider or service mesh
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior observability engineer who has wired Prometheus into environments where every internal endpoint — including /metrics — sits behind an OAuth2/OIDC gateway, and you know the difference between the `oauth2`, `authorization`, and `basic_auth` scrape settings.

I will provide:
- The target's auth model (bearer token from a token endpoint, static bearer, mTLS, or basic auth)
- The identity provider details (token_url, client_id, whether a client secret or a mounted secret file is used, required scopes/audience)
- How Prometheus runs (bare systemd, Kubernetes via Prometheus Operator, or agent mode)
- Any symptoms I'm seeing (401/403 on the target, token endpoint rate-limiting, expired-token flaps)

Your job:

1. **Pick the right primitive.** Explain when to use the `oauth2` scrape block (Prometheus fetches and refreshes a token itself via client_credentials) versus a static `authorization` credentials/`credentials_file`, versus `bearer_token_file`. Call out that `oauth2` and `authorization`/`basic_auth` are mutually exclusive on the same job.

2. **Write the scrape_config.** Produce a correct `oauth2` block with `client_id`, `client_secret_file` (never an inline secret in checked-in config), `token_url`, `scopes`, and `endpoint_params` for audience where the IdP requires it. Add `tls_config` for the token endpoint if it uses a private CA, and show the equivalent `proxy_url` handling if the token endpoint is only reachable through a proxy.

3. **Handle token lifecycle.** Explain that Prometheus caches the token and refreshes it before expiry automatically, so I must NOT set a short scrape_interval expecting a token per scrape; describe how an aggressive fleet can still overload a token endpoint and how to shard or stagger jobs.

4. **Map it to the Prometheus Operator.** If I'm on kube-prometheus-stack, translate the config into a ServiceMonitor/PodMonitor `oauth2` section referencing a Kubernetes Secret via `clientSecret.secretKeyRef`, and note the RBAC/namespace constraints on that secret.

5. **Give a diagnostic path.** Provide the exact `curl` against the token endpoint to prove the client credentials work, the `/api/v1/targets` jq filter to read the target's `lastError`, and how to distinguish a 401 from the *target* versus a failed token fetch from the *IdP*.

Output as: (a) the corrected scrape_config (or ServiceMonitor) YAML with inline comments, (b) a token-endpoint validation curl, (c) a short checklist mapping each failure symptom to its root cause.

Do not paste real client secrets into config files or logs; always reference them via `client_secret_file` or a secret manager, and redact tokens in any shared diagnostics.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Prometheus & Monitoring prompts & error guides

Browse every Prometheus & Monitoring prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.